The first pillar of our Business Continuity Management System
In the previous blog, we established that Business Continuity Planning (BCP) is not a subset of ISO 31000. BCP starts with the premise that a catastrophe that has led to business interruption. The focus of BCP is not so much on risk mitigation but on recovery post-disaster and consequently, having the ability to recover and offer continuity of service to entities that are dependent on the business.
With this, our attention shifts from mitigating well-defined risks to identifying vital processes, the unavailability of which is unacceptable. The identification of such processes is multidimensional and perception based – meaning an organization could, by law, need certain processes to be available at all times and for others the consequence (financial or otherwise) of not able to provide a certain service is calamitous. The challenge then for a Business Continuity Management System provider is to deliver a common platform that identifies, measures and manages the processes which in lead to the establishment of the first pillar of a Business Continuity Management System – Business Impact Analysis (BIA).
The essential role of BIA is to probe, collect and identify all factors that are likely to disrupt a critical process. A Business Continuity Management System should prompt and guide in identifying all the key factors affecting a business process thereby laying the groundwork for a sound BIA framework.
While identifying the processes that are key to the business, we also tend to ascertain that target time for bringing these processes back online. In BCP parlance the target time for each process to resume as normal is known as Recovery Time Objective (RTO). This identification of an acceptable RTO is the cornerstone of Business Impact Analysis.
To sum it up: a key challenge in designing BCMS software has been to create a comprehensive blueprint to carry out ‘Business Impact Analysis’. A successful BIA is inherently multi-faceted, touching several departments, impacting many related parties, encompassing risks of varying intensity. Once this analysis is successfully carried out, the battle of developing a sound BCMS is won. But let us not forget that BIA is just the starting point and the first pillar. There are many more venues to be explored to implement a successful BCMS, venues that we will explore in the next post.